Yes, it’s now official. The IRS has extended the individual tax deadline to May 17. However, when it comes to the IRS requirement for a Written Data Security Plan, there are no changes. As tax professionals it is our responsibility to have and to implement this plan to keep our clients’ data safe and to mitigate security risks for our firm as well—no matter what happens with tax deadlines.
If you don’t have any idea where to start when it comes to writing your Data Security Plan, keep reading and check out my previous article, “Tax Season is No Time to Be Sweating the IRS Requirements,” where I cover the first three steps of creating a Written Data Security Plan, which I am calling “The Assessment Phase.”
As a refresher, the first three steps of creating the IRS-required Written Data Security Plan are:
- Include the names of all your information security program managers in the plan.
- Identify and assess the risks to customer information.
- Evaluate the risks and current safety measures in place.
These three steps will give you enough information about potential gaps in your current data security program. The last three steps we’re delving into here are part of the “Implementation Phase” where you will create and put your plan in place. So let’s dive in and get your Written Data Security Plan done!
Step 4: Design and implement a safeguards program. In this step you will take the information you gathered from the previous three steps and begin to develop a detailed program to protect customer information. You’ll need to keep in mind your firm’s size and complexity, the nature and scope of your business activities and the sensitivity of the client information you handle—which for tax preparers is at the top of the sensitivity scale. For help assessing your risks and creating a plan I recommend getting third-party help. I used the experts at Securex to make sure I had the right safeguards and protocols in place. It really helps to get an objective view from professionals who focus specifically on helping tax and accounting firms fulfill the IRS requirements!
Depending on your firm’s needs you may need to add or omit certain safeguards, develop employee training and control access to sensitive information. At a very high level, these are some of the most important factors to consider but a comprehensive plan will address multiple layers and levels of data security customized to your firm’s specific structure.
Step 5: Put your data security program in place. This step is pretty self-explanatory but it can be one of the hardest to achieve. At this point, you have used all the information that was collected about who has access to sensitive information, the risks associated with it and the current safety measures already in place to create a comprehensive plan. The ultimate goal is to give our clients the best service possible and ensure the information they entrusted to us will be safe. To do this, everyone on your team needs to be on the same page with the plan. This means employees need to be trained on new protocols, access to sensitive information needs to be limited, passwords need to be updated, and all of the other key processes and procedures in your Written Data Security Plan must be implemented.
Step 6: Regularly monitor and test the program. Of course, a Written Data Security Plan is something that must evolve over time to meet the changing needs of your clients, your firm and the IRS requirements. After the plan is in place and working, you have to make sure it is still doing the job it was built to do. If there are risks or shortcomings found, revisions need to be made and implemented as soon as possible to keep your clients’ information secure and safe and your firm as free from data security issues as possible.
Take a two-hour break from tax prep to get your Written Data Security Plan completed.
One of the key reasons I recommend working with a third-party provider to get your Written Data Security Plan in place is that it will save you a ton of time while also ensuring you have all of your bases covered when it comes to the IRS requirements and the best practices to protect your clients and your firm.
Remember, if the IRS asks for a copy of your plan and you aren’t able to produce one, it can result in some hefty fines. Even if you have a plan, you need to make sure it covers all of the bases set out by the IRS. Check out Securex to help you check this requirement off your to-do list. In about two hours, their specialists will work with you to get the information required for your firm’s comprehensive Written Data Security Plan and you can finish out tax season assured that you truly are doing your due diligence as a trusted tax professional!